Description of problem:
If the pam_unix.so "nullok" flag is present (which it is by default on FC) then PAM effectively ignores pam_authenticate()'s PAM_DISALLOW_NULL_AUTHTOK flag. This seems wrong, since the correct thing would appear to be to use the more restrictive of the two (i.e. nullok && !PAM_DISALLOW_NULL_AUTHTOK). It means that a PAM-using application may permit access without authentication even though it has explicitly requested that this not be allowed (hence severity of "security"). I will attach a testcase (which requires a user "testuser" with no password in order to work).

Version-Release number of selected component (if applicable):
pam-0.77-40

How reproducible:
Always

Steps to Reproduce:
1. Ensure pam_unix in /etc/pam.d/system-auth contains the "nullok" flag (this is the default).
2. Call pam_authenticate with the PAM_DISALLOW_NULL_AUTHTOK flag (such as the attached testcase).
3. Note that it succeeds without further authentication.

Actual Results:
$ gcc ignore-disallow-nullauthtok.c -lpam
$ sudo ./a.out
NOTE: this test requires a user 'testuser' with no password
pam_start result 0 (Success)
pam_authenticate result 0 (Success)
FAIL: Authentication allowed despite DISALLOW_NULL_AUTHTOK

Expected Results:
$ sudo ./a.out
NOTE: this test requires a user 'testuser' with no password
pam_start result 0 (Success)
pam_authenticate conversation my_conv1 called
pam_authenticate result 7 (Authentication failure)
PASS: did not permit authentication

Additional info:
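As an added illustration (not the reporter's testcase and not Linux-PAM's own code), a small C model of the decision pam_unix makes when a user's password field is empty, comparing the precedence the report describes with the restrictive combination it proposes. The return codes and the PAM_DISALLOW_NULL_AUTHTOK value copy Linux-PAM's pam_appl.h; the plain string comparison stands in for crypt(), and the conv_calls counter stands in for the application's conversation callback.

```c
#include <stdio.h>
#include <string.h>

/* Values as defined in Linux-PAM's <security/pam_appl.h>. */
#define MY_PAM_SUCCESS               0
#define MY_PAM_AUTH_ERR              7
#define MY_PAM_DISALLOW_NULL_AUTHTOK 0x0001U

/* How many times the model "prompted" the application for a password. */
int conv_calls = 0;

/* Precedence the report observes: the module's nullok option alone decides,
 * so the application's PAM_DISALLOW_NULL_AUTHTOK flag is ignored. */
int blank_allowed_buggy(int nullok, unsigned int flags) {
    (void)flags;
    return nullok;
}

/* Restrictive combination the report asks for: nullok && !DISALLOW_NULL_AUTHTOK. */
int blank_allowed_fixed(int nullok, unsigned int flags) {
    return nullok && !(flags & MY_PAM_DISALLOW_NULL_AUTHTOK);
}

/* Simulated pam_unix authentication. hash is the stored password field ("" = no
 * password set), typed is what the conversation returns, policy picks one of the
 * two blank-password rules above. Mirrors the report's expected run: when a blank
 * password is not acceptable the user is prompted, and an empty hash never verifies. */
int authenticate(const char *hash, const char *typed, int nullok, unsigned int flags,
                 int (*policy)(int, unsigned int)) {
    if (hash[0] == '\0' && policy(nullok, flags))
        return MY_PAM_SUCCESS;      /* empty password accepted without prompting */
    conv_calls++;                   /* application's conversation function is called */
    if (hash[0] == '\0')
        return MY_PAM_AUTH_ERR;     /* blank stored hash cannot match any input */
    return strcmp(hash, typed) == 0 ? MY_PAM_SUCCESS : MY_PAM_AUTH_ERR;
}

int main(void) {
    /* Constructed scenario from the report: nullok set, no password, app disallows. */
    int r = authenticate("", "", 1, MY_PAM_DISALLOW_NULL_AUTHTOK, blank_allowed_buggy);
    printf("buggy: result %d, conversation calls %d\n", r, conv_calls);
    conv_calls = 0;
    r = authenticate("", "", 1, MY_PAM_DISALLOW_NULL_AUTHTOK, blank_allowed_fixed);
    printf("fixed: result %d, conversation calls %d\n", r, conv_calls);
    return 0;
}
```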
Created attachment 101553 [details] ignore-disallow-nullauthtok.c: testcase for flag ignoring bug.
I will attach a patch for this.
Created attachment 103588 [details] Proposed patch
It's in.